# Sunday

## Sunday - 10.10.10.76

### Target Enumeration:

OS: Solaris

IP: 10.10.10.76

User: a3d9498027ca5187ba1793943ee8a598

Root: fb40fab61d99d37536daeec0d97af9b8

### Ports / Services / Software Versions Running

79/tcp open finger

111/tcp open rpcbind

22022/tcp open ssh

33556/tcp open

49596/tcp open

### Vulnerability Exploited:

User enumeration with Finger

SSH brute force recovers the password sunday for that user

Crack the shadow file to log in as the other user, sammy

### Privilege Escalation:

User sammy is allowed to use wget as root

Overwrite the sudoers file to get root

### Exploiting the host:

Nmap

![](https://lh5.googleusercontent.com/Smj-M96QVNAFlj2GB_Lc1lvVeCPQDyCpP3T84snDYvNYFFXnkQBEz8U5QEii4ULuMTExUMuYccdiAsX73Jz6-qloAd-4IYDQI3QFc7W3BQpeM34240GfVx_9Zr-CoTAiWrkiyhwr)

Finger the host to get a user who is logged in:

<div align="left"><img src="https://lh4.googleusercontent.com/VrWEWJ1lz90IwfHwuWtP5LkTmjBbOsOUfbcSi5YIBBSuKudUMwvLBg8G3I698-MR_6EylFc8OTPluLTfXkQapTLD2Mtba0I293cNNHJMZoMs5_BUNzm4ILG4m5ZbI3Y7TPLpg8wM" alt=""></div>

Brute-force the account with a small wordlist:

![](https://lh6.googleusercontent.com/33KG77GuGFZJxPfNNBw_7-SvuraHg4Q7g1zrEeM_3dEmIkqfRtUB6mnitxRRwfL2_QAJsfITG-6BO7lugQ9hU3HLWmqoWg9-030i1DwTYYqYLImFp8iKEUOd3HrhoiS2oUesMsjH)

Log in to the account and start enumerating the system.

There is a folder called backup in the root dir with a copy of the shadow files:

![](https://lh6.googleusercontent.com/mg-xohqOcxwZHSKc6wKucXyKg6VqLW-it36rFOA74CPVb_oFE40lhCKYtWlSrRThQ5KH_VX7cwZC43leqB6t88qaxrNHvkCZUUl2_7T4W9LAf_degVT9zFhnwBzuMRjUXD56wzgF)

Unshadow the file to get the hashes

![](https://lh4.googleusercontent.com/OHDZ3RKYl5W7ox-f12O45EwM9QTJXUUQTjkUQawyBWmT-FqQiyB8AOq0jB8CIEtrbjNbhTiiePZV1M4Ku5oiKKUDlzA2BSDGaf-UYjXQNmAse2FWAqaCxiFhu3xCCv3K7Vn5ns5X)

Now crack with john and rockyou.

![](https://lh4.googleusercontent.com/fKPK9XjkG1M37ymgvARz3h9EtySdXWcAqBP6_2zdNuDULOmHVuSIvpkDaV-QbqoKhtpWOm1w0tkuFjfJjJNS1ucCsnXbfNWZZwarRm02_NxyjhMKS3ee4COa17VLUPbtp03gKyb5)

Log in as the user sammy with the password cooldude!

Find your user.txt

<div align="left"><img src="https://lh5.googleusercontent.com/xFT3fNFZK6JnyN3MD2Ox5420JYJYjCtUC26kW0cMEEN0a5gSk8nw8SKkYxeJNtSxsE62DleCfz4KwPcEWe-zlFZ-29HFXO9b3J3lDNbHKzhLwQXHgyGRaof268CrNi8rsilmfsU1" alt=""></div>

Cat the file to get the flag.

<div align="left"><img src="https://lh4.googleusercontent.com/Pd61R9ycqJWn-V2RftGHW1SzkgkQSSC_geJTi7qRBswE_kCzlL-T5psB4cJ8jcor8azNQZjRSsCesQKn-saHqK3AhRkItEFxjZ7Ahtvx4Npgy8YyuzQW1eg8__jDyymaM6XaMRqJ" alt=""></div>

Running sudo -l gives you:

<div align="left"><img src="https://lh4.googleusercontent.com/46Ln7-tDHzWjlEIbkKB3EF_MRR5ECObh7WeTFav8AW7ShYsV5OTPVrp19fBRIMp9MtVeMIOSfvBZIVzFpHUi5-p0HqC111o6lXMrRczLd8f5HNiH3lsSoO1D5ZLvRuJWqG2FW6nm" alt=""></div>

Because wget runs as root, it can overwrite any file. To exploit this, create a file called sudoers locally with the contents below and host it with Python:

sammy ALL=(ALL) NOPASSWD:ALL

Once it is downloaded, the sudoers file has been overwritten, so all that remains is to run sudo su to get root.

![](https://lh4.googleusercontent.com/CZI4FFoUEz7oVTqzT_75RmIzSi9Xqg1cFKHw3jaoNqtvlMtoP1aOHJxFjfEYX28KOsv6sgUM50RIdpx9DyBTy6aCXYMchYxv-5h_Q7W_7BYyRW9NeXhXrI4L--LC0RjlJirNqh5T)
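From the defender's side, the rule abused above can be caught by auditing sudoers for root rules that grant file-writing tools. The script below is an added example, not part of the original write-up; the wget path, the backup rule and the tool list are assumptions, and the parser handles plain user rules only (no aliases or include files).

```python
import re

# Illustrative, non-exhaustive set of tools that can write remote or
# caller-chosen content to any path; wget is the one this page covers.
FILE_WRITERS = {"wget", "curl", "cp", "tee", "dd"}
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAGS = re.compile(r"^\s*((?:[A-Z_]+:\s*)+)")

def audit_sudoers(text):
    """Return (line_no, user, command, nopasswd, reason) for risky root rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments and #include lines
        m = None if line.startswith(SKIP) else RULE.match(line)
        if not m or m[1] == "root":
            continue
        runas = {r.strip() for r in (m[3] or "root").split(":")[0].split(",")}
        if not runas & {"root", "ALL"}:
            continue  # rule does not grant root
        nopasswd = False
        for cmd in m[4].split(","):
            tags = TAGS.match(cmd)
            if tags:  # NOPASSWD:/PASSWD: carry over to later commands
                nopasswd = "NOPASSWD" in tags[1] or (nopasswd and "PASSWD" not in tags[1])
                cmd = cmd[tags.end():]
            cmd = cmd.strip()
            if not cmd or cmd.startswith("!"):
                continue  # empty entry or negated command
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name == "ALL":
                findings.append((no, m[1], cmd, nopasswd, "unrestricted root"))
            elif name in FILE_WRITERS:
                findings.append((no, m[1], cmd, nopasswd, "can overwrite root-owned files"))
    return findings

# Constructed sample; the wget path and the "backup" rule are assumptions.
BEFORE = """\
Defaults env_reset
root    ALL=(ALL) ALL
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
backup  ALL=(root) /usr/bin/ls /backup
"""
AFTER = "sammy ALL=(ALL) NOPASSWD:ALL\n"  # the replacement line from this page

if __name__ == "__main__":
    for finding in audit_sudoers(BEFORE) + audit_sudoers(AFTER):
        print(finding)
```

Run against the original rule it flags wget as a file-overwrite risk; run against the replaced file it flags the unrestricted NOPASSWD entry, which is also a useful integrity alert on /etc/sudoers.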
